
Code Injection in ABAP


ABAP allows program units to be invoked through names held in variables at runtime. When such a name is derived from untrusted input, an attacker can redirect the program’s control flow.

Vulnerable example

Passing untrusted data to CALL TRANSACTION lets an attacker start transactions the program never intended to expose.

* The transaction code comes straight from the selection screen and is
* dispatched as-is, with no validation and no authorization check.
PARAMETER: p_function_name TYPE tcode OBLIGATORY DEFAULT 'FN02'.
CALL TRANSACTION p_function_name.

Other verbs, such as CALL FUNCTION and LEAVE TO TRANSACTION, also accept dynamic data.

Prevention

Strive to avoid dynamic procedure calls whenever possible. If that is not feasible, validate the user input before using it as a function or transaction name, and reject any value outside the set the program expects.
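The prevention advice applied to the vulnerable report above, as an added example that is not part of the original page or of any SAP code: the input is first compared against an allow-list, then passed through the standard AUTHORITY_CHECK_TCODE function module, and only then handed to CALL TRANSACTION. The report name and the allow-listed transaction codes are placeholders, and ABAP 7.40 or later syntax is assumed.

```abap
REPORT z_example_guarded_call_transaction.

PARAMETERS p_tcode TYPE tcode OBLIGATORY DEFAULT 'FN02'.

" Constructed allow-list for this example: the only transactions this
" report is ever meant to start. The codes are placeholders.
TYPES ty_tcode_list TYPE STANDARD TABLE OF tcode WITH EMPTY KEY.
DATA(lt_allowed) = VALUE ty_tcode_list( ( 'FN02' ) ( 'FN03' ) ).

START-OF-SELECTION.
  " 1. Allow-list check: anything not explicitly listed is refused,
  "    so the user cannot steer the call to an arbitrary transaction.
  IF NOT line_exists( lt_allowed[ table_line = p_tcode ] ).
    MESSAGE 'Transaction not permitted by this report' TYPE 'E'.
  ENDIF.

  " 2. Authorization check (S_TCODE) for the current user, so that an
  "    allow-listed code still requires the caller to hold the right.
  CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
    EXPORTING
      tcode  = p_tcode
    EXCEPTIONS
      ok     = 0
      not_ok = 1
      OTHERS = 2.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for the requested transaction' TYPE 'E'.
  ENDIF.

  " 3. Only a validated and authorized code reaches the dynamic call.
  CALL TRANSACTION p_tcode.
```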

References

OWASP - Code Injection

CWE - CWE-94: Improper Control of Generation of Code (‘Code Injection’)

SAP - Code Vulnerability Analyzer Checks